>>> What can be known is *how* TOR is being used by setting up studies at
>>> exits and seeing what kind of services people are connecting to.

>> Please don't do that, or suggest doing that. Sniffing or inspecting exit
>> traffic may be illegal in some jurisdictions, and will result in the BadExit
>> flag.

> How is this even possible? Surely, sniffing or inspecting traffic is
> inherently passive?


Ignoring the legal implications for a moment, and also the logical issue of how you'd "study" exit traffic and publish your findings without basically admitting to the world you've been intercepting users' traffic...

From the level of the Tor network and its directory authorities, I think it's only feasible to detect sniffing when "sslstrip" style attacks are used. I.e., it's possible to detect man-in-the-middle attacks where SSL is in place. I know this has been used to detect and flag bad exits in the past. I am not aware of trivial methods to detect passive sniffing of unencrypted traffic.
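
An added example, not part of the original message and not the Tor Project's own scanner code: a sketch of the comparison idea behind detecting "sslstrip" style tampering, checking what arrives through an exit against a trusted reference copy of the same page. The record layout, function names and sample data are constructed for illustration.

```python
import re

HTTPS_URL = re.compile(r"https://([^\s\"'<>]+)")

def downgraded_links(ref_body, exit_body):
    """https:// URLs from the reference copy that the exit copy carries only as http://."""
    return [rest for rest in sorted(set(HTTPS_URL.findall(ref_body)))
            if "https://" + rest not in exit_body and "http://" + rest in exit_body]

def compare_observations(ref, via_exit):
    """Return tampering indicators; each is a lead for manual review, not proof."""
    findings = []
    if ref["cert_sha256"] and via_exit["cert_sha256"] is None:
        findings.append("tls-dropped")        # page arrived over plain HTTP
    elif ref["cert_sha256"] != via_exit["cert_sha256"]:
        findings.append("cert-mismatch")      # CDNs can also cause this; verify
    ref_headers = {name.lower() for name in ref["headers"]}
    exit_headers = {name.lower() for name in via_exit["headers"]}
    hsts = "strict-transport-security"
    if hsts in ref_headers and hsts not in exit_headers:
        findings.append("hsts-stripped")
    if downgraded_links(ref["body"], via_exit["body"]):
        findings.append("https-links-downgraded")
    return findings

# Constructed sample observations (fingerprints are placeholders, not real certificates).
BODY = '<a href="https://shop.example.test/login">Sign in</a>'
REFERENCE = {"cert_sha256": "aa" * 32,
             "headers": {"Strict-Transport-Security": "max-age=31536000"},
             "body": BODY}
CLEAN_EXIT = dict(REFERENCE)  # passive sniffing changes nothing, so it looks like this
STRIPPING_EXIT = {"cert_sha256": None, "headers": {},
                  "body": BODY.replace("https://", "http://")}
MITM_EXIT = dict(REFERENCE, cert_sha256="bb" * 32)

if __name__ == "__main__":
    for label, obs in [("clean", CLEAN_EXIT), ("stripping", STRIPPING_EXIT),
                       ("mitm", MITM_EXIT)]:
        print(label, compare_observations(REFERENCE, obs))
```

An exit that only records traffic produces the same observation as the clean case, so this comparison returns no findings for it.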